A single typo let hackers steal $400,000 from a bitcoin rival

Typos aren't just a headache — they can sometimes have very costly consequences.

On Friday, digital currency Zcoin announced that a typographical error had let an unidentified attacker make a profit of around $400,000 (£320,000).

Zcoin is similar to Bitcoin — it's a digital currency powered by cryptography, and without any single central bank. It's based on Zerocoin, a software protocol that was developed to provide its users with "complete financial privacy and anonymity."

But in implementing it, the Zcoin team made a single screw-up. "Yesterday, our team found a bug in our implementation of Zerocoin," Zcoin community manager Reuben Yap wrote in a blog post on Friday. "A typographical error on a single additional character in code allowed an attacker to create Zerocoin spend transactions without a corresponding mint."

In other words, they got a single character wrong in their code — and this let a hacker steal coins by cashing out from the same transactions multiple times.

Yap emphasises that there's nothing wrong with Zcoin's cryptography — it was just the typo that was the problem. "The exploit happened due to the bug in the code and not from any weakness in the cryptography. The bug from the typo error allowed the attacker to reuse his existing valid proofs to generate additional Zerocoin spend transactions," he wrote.

In short: It's human error, they argue, rather than any fatal flaw in the Zcoin project.
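To make the failure concrete, here is an added toy model (not Zcoin's or Zerocoin's code) of the two rules a spend has to satisfy: the coin was minted, and its serial number has never been spent before. It also shows the kind of offline reconciliation that would have flagged reused proofs in a transaction history; the `Tx` type, the plaintext serials and the sample history are all constructed simplifications.

```python
# Added illustration, not Zcoin's code. Real Zerocoin hides the serial inside a
# commitment at mint time and reveals it only on spend; this toy records it in
# the clear so the invariants are easy to see.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    kind: str              # "mint" or "spend"
    serial: str            # coin serial number (constructed, hypothetical)
    proof_ok: bool = True  # stand-in for the zero-knowledge proof verifying


class Ledger:
    """Accepts a spend only if the proof verifies, the coin was minted, and the
    serial has not been spent before (so a valid proof cannot be replayed)."""

    def __init__(self):
        self.minted, self.spent = set(), set()

    def apply(self, tx: Tx) -> bool:
        if tx.kind == "mint":
            if tx.serial in self.minted:
                return False
            self.minted.add(tx.serial)
            return True
        if not tx.proof_ok or tx.serial not in self.minted or tx.serial in self.spent:
            return False
        self.spent.add(tx.serial)  # forgetting this line is the failure mode
        return True


def audit(history: list) -> dict:
    """Reconciliation an exchange or node operator can run over accepted txs:
    a reused serial or more spends than mints both signal replayed proofs."""
    spends = Counter(t.serial for t in history if t.kind == "spend")
    mints = {t.serial for t in history if t.kind == "mint"}
    return {
        "reused_serials": sorted(s for s, n in spends.items() if n > 1),
        "spends_without_mint": sorted(s for s in spends if s not in mints),
        "excess_spends": max(0, sum(spends.values()) - len(mints)),
    }


def replay_with_checks(history: list) -> int:
    """Re-validate a history under the correct rules; returns how many txs survive."""
    ledger = Ledger()
    return sum(ledger.apply(t) for t in history)


# Constructed history as a faulty node might have recorded it: "c1" spent three times.
ACCEPTED_BY_FAULTY_NODE = [Tx("mint", "c1"), Tx("mint", "c2"), Tx("spend", "c1"),
                           Tx("spend", "c1"), Tx("spend", "c1"), Tx("spend", "c2")]
```

Running `audit(ACCEPTED_BY_FAULTY_NODE)` reports `c1` as reused and two excess spends, while `replay_with_checks` accepts only four of the six transactions.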

The attacker evaded detection for weeks by slowly making payments and withdrawals. "From what we can see, the attacker (or attackers) is very sophisticated and from our investigations, he (or she) did many things to camouflage his tracks through the generation of lots of exchange accounts and carefully spread out deposits and withdrawals over several weeks," Yap wrote.

"We estimate the attacker has created about 370,000 Zcoins which has been almost completely sold except for about 20,000+ Zcoin and absorbed on the market with a profit of around 410 BTC. In other words, the damage has already been mostly absorbed by the markets."